Django 5: LogoutView must be called via POST now

2025-04-11 09:37:12 +02:00
parent 86dadac421
commit e5c1bbed4b
9 changed files with 39 additions and 13 deletions
--- a/dav_auth/templates/dav_auth/includes/login_widget.html
+++ b/dav_auth/templates/dav_auth/includes/login_widget.html
@@ -8,7 +8,13 @@
    </button>
    <ul class="dropdown-menu dropdown-menu-right" aria-labelledby="user_dropdown_button">
        <li><a href="{% url 'dav_auth:set_password' %}">{% trans 'Passwort ändern' %}</a></li>
-        <li><a href="{% url 'dav_auth:logout' %}">{% trans 'Logout' %}</a></li>
+        <li>
+            <form method="post" action="{% url 'dav_auth:logout' %}" class="navbar-form">
+                {% csrf_token %}
+                <button id="id_logout_button" type="submit" class="btn btn-sm btn-danger"
+                        style="width: 100%;">{% trans "Logout" %}</button>
+            </form>
+        </li>
    </ul>
 </div>
 {% else %}
--- a/dav_auth/tests/generic.py
+++ b/dav_auth/tests/generic.py
@@ -17,6 +17,10 @@ class SeleniumAuthMixin:
        return driver

    def logout(self, driver):
-        driver.get(self.complete_url(reverse('dav_auth:logout')))
+        #driver.get(self.complete_url(reverse('dav_auth:logout')))
+        dropdown_button = driver.find_element(By.ID, 'user_dropdown_button')
+        dropdown_button.click()
+        logout_button = driver.find_element(By.ID, 'id_logout_button')
+        logout_button.click()
        self.wait_on_presence(driver, (By.CSS_SELECTOR, "#messages .alert-success"))
        return driver
--- a/dav_auth/tests/test_screenshots.py
+++ b/dav_auth/tests/test_screenshots.py
@@ -189,8 +189,10 @@ class TestCase(ScreenshotTestCase):
        dropdown_button = self.wait_on_presence(c, (By.ID, 'user_dropdown_button'))
        dropdown_button.click()
        user_menu = c.find_element(By.CSS_SELECTOR, '#login-widget ul')
-        link = user_menu.find_element(By.PARTIAL_LINK_TEXT, gettext('Logout'))
-        link.click()
+        #link = user_menu.find_element(By.PARTIAL_LINK_TEXT, gettext('Logout'))
+        #link.click()
+        button = c.find_element(By.ID, 'id_logout_button')
+        button.click()
        self.wait_until_stale(c, user_menu)
        self.save_screenshot('logout_succeed', sequence=sequence_name)

--- a/dav_auth/tests/test_urls.py
+++ b/dav_auth/tests/test_urls.py
@@ -6,7 +6,8 @@ from .. import views
 class TestCase(UrlsTestCase):
    urls = (
        Url('/auth/login', 'dav_auth:login', views.LoginView.as_view()),
-        Url('/auth/logout', 'dav_auth:logout', views.LogoutView.as_view(), status_code=302),
+        Url('/auth/logout', 'dav_auth:logout', views.LogoutView.as_view(), status_code=302,
+            http_method='POST'),
        Url('/auth/password', 'dav_auth:set_password', views.SetPasswordView.as_view(),
            redirect='/auth/login?next=/auth/password'),
        Url('/auth/password/recreate', 'dav_auth:recreate_password', views.CreateAndSendPasswordView.as_view()),
--- a/dav_auth/tests/test_views.py
+++ b/dav_auth/tests/test_views.py
@@ -61,7 +61,7 @@ class ViewsTestCase(TestCase):

        response = self.client.post(self.login_url, {'username': self.test_username, 'password': self.test_password})
        self.assertEqual(response.status_code, 200)
-        self.assertFormError(response, 'form', None, self.wrong_credentials_message)
+        self.assertFormError(response.context['form'], None, self.wrong_credentials_message)
        self.assertFalse(response.context['user'].is_authenticated, 'User is logged in')

    def test_integrated_login_fail_with_wrong_credentials(self):
@@ -69,7 +69,7 @@ class ViewsTestCase(TestCase):

        response = self.client.post(self.login_url, {'username': self.test_username, 'password': wrong_password})
        self.assertEqual(response.status_code, 200)
-        self.assertFormError(response, 'form', None, self.wrong_credentials_message)
+        self.assertFormError(response.context['form'],None, self.wrong_credentials_message)
        self.assertFalse(response.context['user'].is_authenticated, 'User is logged in')

    def test_integrated_login_succeed(self):
@@ -88,7 +88,7 @@ class ViewsTestCase(TestCase):
    def test_integrated_logout(self):
        self.client.login(username=self.test_username, password=self.test_password)

-        response = self.client.get(self.logout_url)
+        response = self.client.post(self.logout_url)
        self.assertEqual(response.status_code, 302)
        self.assertEqual(response.url, self.logout_redirect_url)

--- a/dav_base/tests/generic.py
+++ b/dav_base/tests/generic.py
@@ -171,6 +171,8 @@ class Url:  # pylint: disable=too-few-public-methods
        self.location = location
        self.name = name
        self.func = func
+        self.http_method = kwargs.get('http_method', "GET")
+        self.post_data = kwargs.get('post_data', {})
        self.redirect = kwargs.get('redirect', False)
        self.status_code = kwargs.get('status_code', 200)
        self.follow = kwargs.get('follow', False)
@@ -182,7 +184,12 @@ class UrlsTestCase(TestCase):
    def test_locations(self):
        for url in self.urls:
            if url.location:
-                response = self.client.get(url.location, follow=url.follow)
+                if url.http_method == "GET":
+                    response = self.client.get(url.location, follow=url.follow)
+                elif url.http_method == "POST":
+                    response = self.client.post(url.location, data=url.post_data, follow=url.follow)
+                else:  # pragma: no cover
+                    raise NotImplementedError("Method {} is not supported".format(url.http_method))

                if url.redirect:
                    self.assertRedirects(response, url.redirect)
@@ -198,7 +205,13 @@ class UrlsTestCase(TestCase):
    def test_names(self):
        for url in self.urls:
            if url.name:
-                response = self.client.get(reverse(url.name), follow=url.follow)
+                location = reverse(url.name)
+                if url.http_method == "GET":
+                    response = self.client.get(location, follow=url.follow)
+                elif url.http_method == "POST":
+                    response = self.client.post(location, data=url.post_data, follow=url.follow)
+                else:  # pragma: no cover
+                    raise NotImplementedError("Method {} is not supported".format(url.http_method))

                if url.redirect:
                    self.assertRedirects(response, url.redirect)
--- a/dav_events/templates/dav_events/event_update_form.html
+++ b/dav_events/templates/dav_events/event_update_form.html
@@ -51,7 +51,7 @@
        </li>
    </ul>
 </div>
-<form action="" method="post">
+<form id="id_event_update_form" action="" method="post">
    {% csrf_token %}

    {% if is_realized %}
--- a/dav_events/tests/test_screenshots.py
+++ b/dav_events/tests/test_screenshots.py
@@ -544,7 +544,7 @@ class TestCase(SeleniumAuthMixin, RoleMixin, ScreenshotTestCase):
        if screenshots:
            self.save_screenshot('edit-form', sequence=sequence_name)

-        button = c.find_element(By.CSS_SELECTOR, 'form button[type="submit"]')
+        button = c.find_element(By.CSS_SELECTOR, '#id_event_update_form button[type="submit"]')
        button.click()
        self.wait_until_stale(c, button)

--- a/requirements.txt
+++ b/requirements.txt
@@ -1,5 +1,5 @@
 babel
-django<3.3
+django<5.1
 django-bootstrap3
 django-countries
 django-datetime-widget2